How To Delete Invisible WordPress Admin Users?

Invisible WordPress admin users are often a sign of a hacked website or malware infection. Attackers create hidden administrator accounts to regain access to your website, inject malicious scripts, steal data, or maintain control without being detected inside the standard WordPress dashboard.

If you notice suspicious activity, unknown admin accounts, or unauthorized website changes, it is important to remove these hidden users immediately. According to Wordfence, WordPress sites experience an average of 172 attack attempts per day. Hidden admin accounts are one of the most common signs of a successful breach.

TL;DR: Remove Invisible Admins

• Invisible WordPress admin users are hidden accounts created by malware after a site is compromised.

• They do not appear in the WordPress dashboard but exist in the database with full administrator access.

• Removing them requires accessing phpMyAdmin and running a direct database query.

• Always create a full backup before making any database changes.

• After removal, update all plugins, enable two-factor authentication, and review admin accounts monthly to prevent them from returning.

Understanding WordPress User Roles and Permissions

Before removing hidden profiles, it helps to understand the user roles WordPress supports. Knowing which roles exist makes it easier to spot accounts that should not have administrator access in the first place.

WordPress has six user roles. Here is what each one can and cannot do:

• Super Admin: Has complete control over a WordPress multisite network and can manage all sites from a single installation. This is the highest level of access available.

• Administrator: Has full control over a single WordPress site, including settings, users, plugins, and themes. Any hidden account created by malware will typically use this role.

• Editor: Can create, edit, publish, and delete any posts or pages, including those written by other users. Cannot access site settings or install plugins.

• Author: Can write, edit, and publish their own posts only. Cannot access or modify other users’ content.

• Contributor: Can write and edit their own posts, but cannot publish them without administrator approval.

• Subscriber: Can only manage their own profile. Has no access to site content, settings, or other users.

When checking for hidden accounts, focus on the Administrator and Super Admin roles. These are the only two roles that give an attacker meaningful access to your site.

Common Signs of Hidden Admin Accounts in WordPress

Hidden administrator accounts are often linked to hacked WordPress websites, malware infections, or unauthorized access attempts. Detecting these warning signs early can help prevent data loss, website downtime, and recurring security breaches.

• Unknown Administrator Accounts: Suspicious admin users appear inside WordPress without being created by authorized website owners or administrators.

• Unauthorized Plugin or Theme Installations: New plugins, themes, or files are added without permission and may contain malicious scripts or backdoors.

• Suspicious Redirects and Spam Pages: Website visitors are redirected to unknown websites, spam pages, or phishing links without authorization.

• Unexpected Website Changes: Content, settings, user permissions, or website files change unexpectedly without any approved updates or edits.

• Login and Security Issues: Frequent login failures, locked administrator accounts, or unusual login activity may indicate unauthorized access attempts.

• Slow Website Performance: Malware infections and hidden admin accounts can increase server load, resulting in slower page load times and website instability.

Why Hidden WordPress Admin Users Are a Serious Security Risk?

Hidden administrator accounts can give attackers complete control over your WordPress website without your knowledge. These unauthorized users are often created after malware infections, plugin vulnerabilities, or successful hacking attempts.

• Unauthorized Website Access: Hidden admin users enable attackers to access your WordPress dashboard and make unauthorized changes.

• Malware Injections: Hackers can inject malicious scripts, spam content, phishing links, or harmful files into your website.

• SEO Spam and Redirects: Unauthorized users may create spam pages or redirect visitors to malicious websites, damaging your search rankings and reputation.

• Data Theft and Security Breaches: Attackers can steal customer information, login credentials, and sensitive website data.

• Website Downtime and Performance Issues: Malware infections and hidden admin accounts can slow your website, cause crashes, and compromise overall stability.

How to Remove Invisible Admins from Your WordPress Website?

There is no automated way to remove hidden admin accounts from within the WordPress dashboard. Because these accounts are injected directly into the database, they can only be found and deleted using phpMyAdmin, a web-based database management tool available through most hosting control panels.

Follow these steps carefully. Do not skip the backup step.

Step 1: Create a Backup

Before touching anything in the database, create a full backup using UpdraftPlus or BackupBuddy. Both plugins create a complete backup in minutes and let you restore your site with a single click if something goes wrong.

If you make a mistake during cleanup, a recent backup lets you reverse it without losing anything. Do not skip this step.

Step 2: Create a New Admin Account

If your current admin username is “admin” or your own name, replace it now. Predictable usernames are among the first targets in brute-force attacks.

Create a new administrator account with a username that is not easy to guess. Log out of your current account, then log back in as the new one before proceeding. This keeps your admin access intact while you work through the next steps.

Step 3: Log in to phpMyAdmin

phpMyAdmin is a web-based tool for managing your WordPress database directly. You will find it in your hosting control panel under the database management section. Most hosting providers, including Cloudways and Bluehost, include it by default.

Open your wp-config.php file to find your database name, username, and password. You will need these to log in.

Step 4: View Your Database

After logging in, click your database name in the left column. A list of tables will appear. Two tables matter here:

• wp_users: Lists every registered user on your site. Write down the User ID numbers you see here. These are your legitimate accounts. Anything that does not appear here but shows up in the next step is a hidden account.

• wp_usermeta: Stores metadata for each user, including their assigned role. Hidden admin accounts injected by malware are stored here.

Step 5: Identify and Remove the Users

Click the SQL tab at the top of the phpMyAdmin screen. Paste the query below into the text box and click Go:

select * from wp_usermeta where meta_value LIKE '%administrator%';

This returns every user ID that has been assigned administrator privileges. Compare these IDs against the ones you noted from wp_users. Any ID that appears in the query results but not in your wp_users table is a hidden admin account that needs to be removed.

Step 6: Delete the Hidden Accounts

Delete every user ID from the query results that does not appear in your wp_users table. Only remove those specific rows. Do not touch anything else in the database.

Once done, go back to your WordPress dashboard and open the Users section. Check that the hidden accounts are gone and that your own admin account remains. The list should now show only the accounts you recognize.

How to Prevent Hidden Admin Users in WordPress?

Preventing hidden admin users requires regular WordPress security monitoring and proactive website maintenance. Strong security practices help reduce the risk of malware infections, unauthorized administrator accounts, and future hacking attempts.

• Use Strong Administrator Passwords: Weak passwords make it easier for attackers to gain access through brute force. Use a password manager to generate a unique, at least 16-character password for each admin account.

• Enable Two-Factor Authentication: Two-factor authentication adds an extra verification step to the login process. Even if an attacker has your password, they cannot access the account without the second factor. Plugins like WP 2FA handle this in minutes.

• Update Plugins and Themes Regularly: Outdated plugins and themes often contain vulnerabilities that hackers can exploit.

• Scan for Malware Frequently: Run weekly scans using Wordfence or Solid Security. These tools detect suspicious files, malicious scripts, and newly created admin accounts that fall outside normal activity patterns.

• Limit Login Attempts: Install Limit Login Attempts Reloaded to automatically block repeated failed login attempts. Brute force attacks rely on unlimited attempts to crack credentials.

• Remove Unused Plugins and Users: Inactive plugins are potential entry points. Deactivate and delete any plugin or theme not actively in use. Remove user accounts for anyone who no longer needs access.

• Use a WordPress Firewall: A web application firewall filters malicious traffic before it reaches your site. Wordfence and Cloudflare both offer firewall protection suited to WordPress sites of all sizes.

Conclusion

Invisible WordPress admin users are almost always a sign that something more serious has happened to your site. Removing them through phpMyAdmin clears the immediate threat, but the vulnerability that let the attacker in still needs to be addressed.

Update every plugin and theme, change all admin passwords, enable two-factor authentication, and run a full malware scan before considering the site clean. A hidden account that keeps returning means the root cause has not been fixed.

FAQs About Removing Invisible WP Admins